Skip to content

returnCopy does not update the appropriate arg value within the event #4359

New issue
New issue
Open
Bug
Open
returnCopy does not update the appropriate arg value within the event#4359
Bug
@andrewstrohman

Description

@andrewstrohman
andrewstrohman
opened on Nov 19, 2025

What happened? How can we reproduce this?

With the following policy:

apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: ret-test
spec:
  kprobes:
    - call: "sys_read"
      syscall: true
      args:
#      - index: 0
#        type: "int"
      - index: 1
        type: "char_buf"
        returnCopy: true
        sizeArgIndex: 3
      - index: 2
        type: "size_t"

The args in the events look like:

"args":[{"bytes_arg":""},{"bytes_arg":"read string"}]

This is happening here. enterArgs is ordered based on the ordering of the spec file -- it's not indexed based on the args position within the function signature.

So this issue happens when a returnCopy arg specifies an index that is not the same as that arg's offset within the policy.

retArg.GetIndex() has different semantics depending on what type of hookpoint is used. For uprobe and lsm, GetIndex() returns the position within the spec. For kprobe and usdt, GetIndex() returns the index value specified for the arg in the spec. Put another way, it's the arg position within the function signature.

Perhaps we should consider changing the semantics of GetIndex() for kprobe and usdt to be the same as uprobe and lsm, for consistency.

Tetragon Version

v1.7.0-pre.0-133-gb82408601

Kernel Version

6.8.0-87-generic, but the issue is not specific to kernel version.

Kubernetes Version

N/A

Bugtool

No response

Relevant log output



Anything else?


No response
Metadata
Metadata
Assignees
No one assigned
    Labels
    No labels
    No labels
    Type
    Bug
    Projects
    No projects
    Milestone
    No milestone
    Relationships
    None yet
    Development
    No branches or pull requests
    Issue actions